CoinVault ransomware allows victims to decrypt one file for free
The CoinVault ransomware adds a new twist to ransomware, with cybercriminals allowing victims to decrypt one file for free
The CoinVault ransomware victimizes businesses, encrypting critical work files - but there is an added twist with this particular piece of software. The criminals provide one free decrypt, restoring access to a single file, in an attempt to give victims additional faith that paying will work.
CoinVault uses 256-bit AES encryption, and the decryption keys are stored on remote servers - and Windows files cannot be recovered unless the bitcoin payment is submitted to cybercriminals. Victims are ordered to pay 0.5 bitcoins, around $200 at current market prices, with the price increasing every 24 hours.
Ransomware attacks typically rely on employees falling prey to social engineering techniques, designed to trick users into clicking suspicious links or downloading unknown files.
CoinVault changes up traditional ransomware techniques
November 24, 2014
A newly identified ransomware takes extra precaution to hide from researchers and possibly show good faith on the attackers' part.
When successfully executed, a ransomware attack encrypts a victim's files and then leaves it up to the victim to determine whether to trust the attackers enough to pay their demanded fees.
Now, however, a newly identified ransomware, ‘CoinVault,' is changing up these tactics by offering victims a “free decrypt,” possibly to show good faith on the attackers' side, according to a SecureList blog post. Santiago Pontiroli, security researcher, Global Research and Analysis Team, Kaspersky Lab, said in an interview with SCMagazine.com that this free file doesn't prove much.
“It's still sending private information from you to the cyber criminals,” Pontiroli said. “Even if it works, nothing guarantees that they (the attackers) will keep their word.”
Even more interesting than CoinVault's free decrypt is the malware's intense measures to keep itself hidden, particularly from researchers.
As compared to CryptoLocker, for example, getting a sample of CoinVault requires passing through multiple security layers and dealing with string keys and byte arrays to eventually get to the malicious payload. Ultimately, Pontiroli explained, researchers can get to the sample, but it takes time.
“They make that effort (to delay analysis) because it's more money for them,” he said. Pontiroli also believes the attackers could have been analysts because the ransomware specifically checks for tools analysts use, including Sandboxie and Wireshark.
The extra time bought from instilling these security layers allows attackers to test their malicious code, alter it and begin cashing in, all before researchers' blog posts are released.
CoinVault doesn't vary much from traditional attacks in that it requests victims use bitcoins to recover their files, and if no payment is received within 24 hours, the ransom increases.
Pontiroli recommends that all IT security professionals maintain a backup policy to ensure files can be recovered in the event of infection.
“If you have a backup policy in place, then don't pay,” he said. “If you keep paying then this business will go on forever.”
People around the world have complained of CoinVault infecting their computers and a large portion have been based in the U.S.
CoinVault
Today we encountered a new type of encrypting ransomware that looks to be of the cryptographic locker family. It employs the same method of encryption and has a very similar GUI (kills VSS, increases the required payment every 24hr, uses bitcoin payment, etc.).
CoinVault GUI
Here is the background that it creates – also very similar.
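The "kills VSS" behaviour noted above is the step that removes the local recovery option before encryption starts, and both posts on this page point to backups as the real defence. Below is an added detection example, not code from Webroot, Kaspersky or the CoinVault sample, that scans process-creation events for shadow-copy destruction. The event records, hostnames and the `invoice.exe` parent path are constructed for this example; the field layout is a simplified Sysmon Event ID 1 shape, and the `vssadmin` / `wmic` command lines matched are the standard Windows tools documented under MITRE ATT&CK T1490 (Inhibit System Recovery). Severity is raised when the parent process lives in a user-writable directory, which is where a dropped payload usually runs from.

```python
"""Flag Volume Shadow Copy destruction in process-creation logs (added example)."""
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# Hostnames, user names and the "invoice.exe" dropper path are invented.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",            # benign admin query, must not alert
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=C: /oldest",   # admin from a system shell
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Command lines that delete or shrink Volume Shadow Copies (MITRE ATT&CK T1490).
SHADOW_DESTRUCTION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE),
]

# A parent under a user-writable location points at a dropped payload rather
# than an administrator's shell; this is a heuristic, not proof.
USER_WRITABLE = re.compile(
    r"^C:\\Users\\|\\AppData\\|\\Temp\\|^C:\\ProgramData\\", re.IGNORECASE)


def is_shadow_destruction(cmdline):
    """True if the command line matches a known shadow-copy destruction pattern."""
    return any(p.search(cmdline) for p in SHADOW_DESTRUCTION)


def classify(event):
    """Return an alert dict for a matching event, or None for a benign one."""
    if not is_shadow_destruction(event["cmdline"]):
        return None
    from_user_path = bool(USER_WRITABLE.search(event["parent"]))
    return {
        "host": event["host"],
        "severity": "high" if from_user_path else "medium",
        "reason": ("shadow copy destruction launched from user-writable parent"
                   if from_user_path else
                   "shadow copy destruction from system shell (verify change ticket)"),
        "cmdline": event["cmdline"],
        "parent": event["parent"],
    }


def detect(events):
    """Run classify() over an event list and keep only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['host']}: "
              f"{alert['cmdline']}  <- parent {alert['parent']}")
```

Run against the constructed events this yields two high-severity alerts for `ws01` (payload in a Temp directory deleting shadows by two different tools) and one medium alert for `ws03` that an analyst should reconcile against planned maintenance; the `vssadmin list shadows` query on `ws02` is correctly ignored. In a real deployment the `cmdline` and `parent` fields would be fed from Sysmon or EDR telemetry, and an alert here should trigger a backup-integrity check because the next step of the malware is encryption.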
What’s unique about this variant that I wanted to share with you all is that this is the first Encrypting Ransomware that I’ve seen which actually gives you a free decrypt. It will let you pick any single file that you need after encryption and will decrypt it for you.
It even works too! How nice of them.
This is a really interesting feature and it gives a good insight into what the actual decryption routine is like if you find yourself actually having to pay them. I suspect that this freebie will increase the number of people who will pay.
Webroot will catch this specific variant in real time and heuristically before any encryption takes place. We’re always on the lookout for more, but just in case of new zero-day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can just restore your files back, as we save a snapshot history for each of your files up to ten previous copies.